Failed to bring up Etcd Plane: etcd cluster is unhealthy: hosts failed to report healthy.

Not sure why the RKE certs are a problem, they are self signed. This is a new/first time rke version v1.2.8 setup on clean vms.

container on host : Error response from daemon: driver failed programming external connectivity on endpoint rke-cp-port-listener (84f539941117bea89eecb4aa64a939ddbb155e32a2ec89dc51d12673772c95a8): (iptables failed: iptables -wait -t nat -A DOCKER -p tcp -d 0/0 -dport 6443 -j DNAT -to-destination 172.17.0.2:1337 ! -i docker0: iptables: No chain/target/match by that name.

Time="" level=info msg="Starting plan monitor, checking every 15 seconds"
Time="" level=warning msg="Error while getting agent config: invalid response 500: \"c-jmfzn/m-cdb2f653c9e4\" not found"
Time="" level=info msg="Connecting to proxy" url="wss:///v3/connect/register"
Time="" level=info msg="Connecting to wss:///v3/connect/register with token 5nsh66fbstvtwb8qhbfg49dq9t4nhscpr7dwmw7lzk2thlxp6g2l5g"
Time="" level=info msg="Option etcd=true"
Time="" level=info msg="Option customConfig=map roles: taints:]"
Time="" level=info msg="Option requestedHostname=kubelet-etcd-pgh03"
Time="" level=info msg="Option worker=false"
Time="" level=info msg="Option controlPlane=false"
Time="" level=info msg="Rancher agent version v2.5.7 is starting"
Time="" level=info msg="Listening on /tmp/log.sock"
Time="" level=info msg="node kubelet-etcd-pgh03 is not registered, restarting kubelet now"
INFO: Environment: CATTLE_ADDRESS=10.70.12.195 CATTLE_INTERNAL_ADDRESS= CATTLE_NODE_NAME=kubelet-etcd-pgh03 CATTLE_ROLE=,etcd CATTLE_SERVER= CATTLE_TOKEN=REDACTED

So now I have a diff error in registering the nodes:

From the docker logs

INFO: Arguments: -server -token REDACTED -etcd

openssl s_client -showcerts -connect :443

I have now figured out how to bind the intermediate in the Citrix and make sure it gets sent.
I have restarted the rancher pods, tried variations of certs in the tls.crt file and added both the intermediate and root cert to the LB setup.

Any ideas on how to get the RKE cluster to register? Willing to start over - re-do the whole rancher setup etc.

Ahh.

error: Get \"https : // \": x509: certificate signed by unknown authority"
Certificate information is displayed above.
Time="" level=fatal msg="Certificate chain is not complete, please check if all needed intermediate certificates are included in the server certificate (in the correct order) and if the cacerts setting in Rancher either contains the correct CA certificate (in the case of using self signed certificates) or is empty (in the case of using a certificate signed by a recognized CA).
Time="" level=info msg="PublicKeyAlgorithm: RSA"
Time="" level=info msg="SignatureAlgorithm: SHA256-RSA"

I have gone over the TLS setup and verified the certs we used to create the
]# openssl verify -verbose -CAfile "

Waiting for etcd, controlplane and worker nodes to be registered

This cluster is currently Provisioning; areas that interact directly with it will not be available until the API is ready.

We have not been able to import a new RKE cluster into rancher. We have it sitting behind a Citrix LB and the certs/setup seem fine (at least to the browsers). It's a 2-node setup with certs from GeoTrust. We have set up a production HA rancher cluster with K3S: v1.20.6 k3s1.